Weird traffic from old model mobile phones

         

Dooku

12:36 pm on Nov 1, 2024 (gmt 0)

5+ Year Member Top Contributors Of The Month



Just curious if anyone else is seeing the same type of traffic in their log files:
- Traffic coming from old model mobile phones hitting just ONE page.
- Models like Pixel 2, Galaxy, S5 Nexus 5
- These mobile phones ALMOST ALWAYS hit old product pages that are not active and have the no-index and no-follow attribute on that page.
- These mobile phones ALWAYS come in groups and hit anywhere from 5 to 15 pages in a few minutes
- And most weirdly these mobile phones, while hitting the website as a group are ALL located in VERY DIFFERENT locations like from New Zealand to Canada and anything in between and they all use DIFFERENT ip addresses.
- The user agents are not from any known bot, nor can I find any other info as to a scraping network or anything.

So, what the hell are these? Are these "hidden AI" scrapers, just a bot farm, or......?
Just to be clear, these are NOT Instabridge traffic.

Can anyone shed light on this weird grouped old mobile phone traffic?

not2easy

1:52 pm on Nov 1, 2024 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



There was another recent discussion on a similar topic here: [webmasterworld.com...]

The UA's shown in your logs can help to decide whether it is a botnet script or individual visits. If the IPs you're seeing are mostly residential ISP type IPs it could be a botnet of compromised computers. As mentioned in that linked post, you may want to block the antique devices via UA blocking.

It helps to share the UAs you're seeing to get useful suggestions.

not2easy

2:43 pm on Nov 1, 2024 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



When you are examining your logs, look for recurring UAs that are requesting different resources (images and .js for example) for the same page, in sequence and using the old mobile UAs. That should give you a good picture of what is going on.

Dooku

8:51 pm on Nov 1, 2024 (gmt 0)

5+ Year Member Top Contributors Of The Month



@not2easy, thanks for the reply! Based on your info and that other thread I am now 99% sure these old phone relics are NOT in any way normal users but instead are part of some shady network.
I already did a test with blocking part of the UA for each of those relic phone types and it works great through Cloudflare.
There are only 5 UAs in my case of these relic phone models and NONE of the obvious normal mobile users are using those phone models.
Problem solved, thank you again!

Dimitri

2:35 pm on Nov 3, 2024 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



Yeah, I have (had) this too. I can say that 99% of this traffic is fake. I had put a CAPTCHA when the user agent version is 10 versions older than the current version, and I can't remember a single visitor answering the CAPTCHA over a period of 5 years.

I have no idea what is going on with these botnets. These requests do not look harmful; they do not look like they try to exploit or seek vulnerabilities. Maybe they are used for scraping content, but I am not sure why someone would make so many requests from so many places all around the world, because, yes, IPs are covering almost all ASNs.

So this is a mystery to me.

SumGuy

11:02 pm on Nov 3, 2024 (gmt 0)

5+ Year Member Top Contributors Of The Month



I had a recent hit from this user-agent:

Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.4895.1923 Mobile Safari/537.36

Something in that UA triggered my bot detector. I look for about 40 different string fragments in the UA, if one of them is detected then I return a "I think you're a robot" web page along with a specific jpeg image. 99.999% of the time the jpeg image is not requested, which tells me this was really a bot. If the image is requested, I sort of think there was a live human on the other end of the request.

In this case, there was more than one string fragment that triggered the robot detector. It could have been "OPD3.170816" or "Chrome/5". Any Chrome version under 90 is a bot to me.

And funny thing, they did request the jpeg file.

And one more thing, the IP that this request came from was 72.39.132.30 (Cogeco, a Canadian cable TV/internet ISP). However, running that IP through spur (spur.us/context/72.39.132.30) gives a positive detection for a call-back proxy (actually 2 different proxies or VPN networks). Spur doesn't identify the proxy/vpn network unless you're a paid subscriber.

More than half the time, when I test a "bot" IP like this on Spur, it tests positive for a proxy/vpn. The fact that the vast majority of the time the jpeg image is not requested tells me that proxy/vpn services are mostly used by bots, and they're using real people's devices (home PC's or cell phones) that have installed this or that VPN.

In this case, some Cogeco user has a VPN installed on a device, and some other unknown user somewhere in the world was bouncing their web-surfing off of it.

I wonder how many people know that there are a lot of proxy/VPN services out there that will use their IP as an anonymous gateway for other users (or more often, bots).
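The checks described in this thread (old Chrome versions arriving in short bursts from many unrelated IPs, and whether a flagged client ever fetches the challenge image) can be run over an access log. The following is an added example, not code from any poster: it assumes combined log format, a hypothetical challenge image path `/robot-check.jpg`, and a 5-minute window with at least 3 distinct IPs; the Chrome 90 cut-off and the Pixel 2 UA are taken from the post above, and the other log lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample (combined log format, documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [01/Nov/2024:12:00:05 +0000] "GET /old-product-1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.4895.1923 Mobile Safari/537.36"
203.0.113.7 - - [01/Nov/2024:12:00:06 +0000] "GET /robot-check.jpg HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.4895.1923 Mobile Safari/537.36"
198.51.100.23 - - [01/Nov/2024:12:01:10 +0000] "GET /old-product-2 HTTP/1.1" 200 4980 "-" "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Mobile Safari/537.36"
192.0.2.44 - - [01/Nov/2024:12:02:30 +0000] "GET /old-product-3 HTTP/1.1" 200 5011 "-" "Mozilla/5.0 (Linux; Android 5.0; SM-G900P Build/LRX21T) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Mobile Safari/537.36"
198.51.100.99 - - [01/Nov/2024:12:03:00 +0000] "GET /current-product HTTP/1.1" 200 7300 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Mobile Safari/537.36"
192.0.2.200 - - [01/Nov/2024:14:30:00 +0000] "GET /old-product-4 HTTP/1.1" 200 5002 "-" "Mozilla/5.0 (Linux; Android 8.0; Pixel 2 Build/OPD3.170816.012) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.4895.1923 Mobile Safari/537.36"
"""
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+)[^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')
CHROME_RE = re.compile(r"Chrome/(\d+)\.")
MIN_CHROME = 90                        # the poster's own cut-off; tune for your audience
CHALLENGE_IMAGE = "/robot-check.jpg"   # hypothetical path of the image on the challenge page

def parse(log_text):
    """Return one dict per parseable line: ip, ts, path, Chrome major version (or None)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        cm = CHROME_RE.search(m["ua"])
        hits.append({"ip": m["ip"], "path": m["path"],
                     "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
                     "chrome": int(cm.group(1)) if cm else None})
    return hits

def old_chrome_bursts(hits, window=timedelta(minutes=5), min_ips=3):
    """Cluster old-Chrome page hits by time; keep clusters spread over >= min_ips IPs."""
    flagged = sorted((h for h in hits if h["chrome"] is not None
                      and h["chrome"] < MIN_CHROME and h["path"] != CHALLENGE_IMAGE),
                     key=lambda h: h["ts"])
    bursts, current = [], []
    for h in flagged:
        if current and h["ts"] - current[0]["ts"] > window:
            bursts, current = bursts + [current], []
        current.append(h)
    bursts.append(current)
    return [b for b in bursts if len({h["ip"] for h in b}) >= min_ips]

def fetched_challenge(hits, burst):
    """IPs from the burst that also requested the challenge image (possible humans)."""
    image_ips = {h["ip"] for h in hits if h["path"] == CHALLENGE_IMAGE}
    return sorted({h["ip"] for h in burst} & image_ips)
```

The isolated 14:30 hit is flagged by version but is not reported as a burst, which keeps a single visitor on an old phone from being treated like the coordinated groups.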

Dooku

11:13 am on Nov 4, 2024 (gmt 0)

5+ Year Member Top Contributors Of The Month



@SumGuy, I just tested a few of those ip's at Spur and they are all proxy relays.
However I could not find the option on the Spur website to check an ip address, so I used your example url and pasted in the ip's I needed to check.
So...where did you find that option, or where is it located on the Spur website?

SumGuy

1:52 pm on Nov 4, 2024 (gmt 0)

5+ Year Member Top Contributors Of The Month



I stumbled across the spur proxy check site a year or two ago, I might have gotten the direct-ip-check URL from a web search. If you throw this into google: "spur IP proxy check" without the quotes you'll get more examples of this direct-check method. And once I open a tab in my browser and type a few letters (ie sp ) the browser will auto-fill the last check I made and I just change the IP and hit enter.

Another way to check an ip is with the abused IP data base: www . abuseipdb . com

Another way is with scamalytics: scamalytics . com

lucy24

6:22 pm on Nov 5, 2024 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



I once saw a photograph of a bot farm. It was, literally, a bunch of miscellaneous phones plugged into a panel. You'd think, wouldn't you, that it would be done with a single computer sending out a random selection of spurious UAs ... but apparently not.

That, of course, leads to the opposite phenomenon: a string of unrelated UAs coming in from the same IP.

Dimitri

6:45 pm on Nov 5, 2024 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



In my case, hits come from very different IP addresses, different ASN, and different countries. This is so odd.

SumGuy

4:20 am on Nov 6, 2024 (gmt 0)

5+ Year Member Top Contributors Of The Month



> I once saw a photograph of a bot farm.

I think I know what you're talking about. But it was a click-farm. Click fraud is a huge component of the business of google, fecebook, etc.